LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

please move this stuff into DNS

please move this stuff into DNS

Posted Dec 26, 2008 3:36 UTC (Fri) by TRS-80 (subscriber, #1804)
In reply to: please move this stuff into DNS by drag
Parent article: SSL man-in-the-middle attacks

The point isn't how easy/lazy it is, the point is to avoiding have to trust (now apparently) untrustworthy CAs. Maintaining your own CA (is that what you mean by signing certificate?) might be OK if you're the only user, but asking other people to install your CA is a right pain, and then you have to worry about keeping the CA secure, plus all the regular PKIX hassles of updating certs etc.

(Log in to post comments)

Security problems with CAs

Posted Dec 26, 2008 13:21 UTC (Fri) by vonbrand (subscriber, #4458) [Link]

Sad fact is that really checking is expensive, and CAs aren't in the business of "wasting" money to then turn a paying customer away... plus certificates are the same whether they are meant to protect (probably not very interesting) email from prying eyes, commercial transactions in the range of a few tens of dollars, or multi-million dollar movements. The association of the "personal" certificate with all sorts of identifying data makes the planned use of those a privacy nightmare. The whole concept is deeply flawed. For an in-depth discussion of the current issues, look at Peter Gutmann's PKI tutorial (a large PDF presentation).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds